dcrat | 95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Size

1.7MB
MD5

68a655281c115869e423c1d7f5bea01d
SHA1

8193dcbfd44ca6bad7dd4c5824f9e0d4495220c2
SHA256

95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d
SHA512

c72d216bc5172e259226c624023aaf869cfdbebb29b2aa8421a15363f9c3c29acedb3436dbb829afce50aa13935f06c6baf40b3523c912ded39fb82f9b21c1db
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvS:uTHUxUoh1IF9gl2d

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4744	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	4744	schtasks.exe	82

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4944-1-0x0000000000AA0000-0x0000000000C60000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b81-30.dat	dcrat
behavioral2/files/0x000e000000023b86-69.dat	dcrat
behavioral2/files/0x000c000000023b78-80.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2192	powershell.exe
4668	powershell.exe
2632	powershell.exe
4884	powershell.exe
3200	powershell.exe
2476	powershell.exe
4656	powershell.exe
4664	powershell.exe
1544	powershell.exe
4172	powershell.exe
4140	powershell.exe
756	powershell.exe
1408	powershell.exe
2176	powershell.exe
3080	powershell.exe
1404	powershell.exe
1912	powershell.exe
516	powershell.exe
3668	powershell.exe
3872	powershell.exe
4068	powershell.exe
1664	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 11 IoCs

pid	Process
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2772	explorer.exe
4656	explorer.exe
3184	explorer.exe
4884	explorer.exe
5012	explorer.exe
4052	explorer.exe
2932	explorer.exe
1296	explorer.exe
4772	explorer.exe
2936	explorer.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\RCX84C6.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX89EB.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sppsvc.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Windows Sidebar\0a1fd5f707cd16	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows Portable Devices\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\dotnet\shared\RCX8739.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\dotnet\shared\RCX87B7.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows Security\69ddcba757bf72	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\7-Zip\9e8d7a4ca61bd9	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCX8535.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Microsoft\lsass.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Windows Sidebar\sppsvc.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\dotnet\shared\services.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\ea9f0e6c9e2dcd	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\lsass.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows Security\smss.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Microsoft\6203df4a6bafc7	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\dotnet\shared\c5b4cb5e9653cc	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows Portable Devices\d07013de5a29e5	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\7-Zip\RuntimeBroker.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\dotnet\shared\services.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX89EC.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows Security\smss.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\7-Zip\RuntimeBroker.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\e6c9b481da804f	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Windows\ModemLogs\OfficeClickToRun.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Windows\ModemLogs\OfficeClickToRun.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1940	schtasks.exe
4088	schtasks.exe
844	schtasks.exe
5040	schtasks.exe
4492	schtasks.exe
1696	schtasks.exe
1392	schtasks.exe
1384	schtasks.exe
1368	schtasks.exe
1576	schtasks.exe
2620	schtasks.exe
3852	schtasks.exe
3428	schtasks.exe
1996	schtasks.exe
3220	schtasks.exe
1288	schtasks.exe
3456	schtasks.exe
4576	schtasks.exe
1508	schtasks.exe
4536	schtasks.exe
1956	schtasks.exe
3636	schtasks.exe
3652	schtasks.exe
1108	schtasks.exe
5048	schtasks.exe
3328	schtasks.exe
936	schtasks.exe
2972	schtasks.exe
2716	schtasks.exe
2936	schtasks.exe
3092	schtasks.exe
1288	schtasks.exe
992	schtasks.exe
1060	schtasks.exe
2564	schtasks.exe
804	schtasks.exe
4804	schtasks.exe
2820	schtasks.exe
4504	schtasks.exe
4288	schtasks.exe
4596	schtasks.exe
3360	schtasks.exe
1444	schtasks.exe
3304	schtasks.exe
212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
4140	powershell.exe
2192	powershell.exe
2192	powershell.exe
4668	powershell.exe
4668	powershell.exe
2632	powershell.exe
2632	powershell.exe
3200	powershell.exe
3200	powershell.exe
2476	powershell.exe
2476	powershell.exe
516	powershell.exe
516	powershell.exe
4884	powershell.exe
4884	powershell.exe
3668	powershell.exe
3668	powershell.exe
756	powershell.exe
756	powershell.exe
1912	powershell.exe
1912	powershell.exe
756	powershell.exe
516	powershell.exe
3668	powershell.exe
1912	powershell.exe
4140	powershell.exe
2192	powershell.exe
4140	powershell.exe
2192	powershell.exe
4668	powershell.exe
4884	powershell.exe
2632	powershell.exe
3200	powershell.exe
2476	powershell.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	2772	explorer.exe
Token: SeDebugPrivilege	4656	explorer.exe
Token: SeDebugPrivilege	3184	explorer.exe
Token: SeDebugPrivilege	4884	explorer.exe
Token: SeDebugPrivilege	5012	explorer.exe
Token: SeDebugPrivilege	4052	explorer.exe
Token: SeDebugPrivilege	2932	explorer.exe
Token: SeDebugPrivilege	1296	explorer.exe
Token: SeDebugPrivilege	4772	explorer.exe
Token: SeDebugPrivilege	2936	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1912	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	98
PID 4944 wrote to memory of 1912	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	98
PID 4944 wrote to memory of 4140	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	99
PID 4944 wrote to memory of 4140	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	99
PID 4944 wrote to memory of 2192	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	100
PID 4944 wrote to memory of 2192	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	100
PID 4944 wrote to memory of 4884	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	101
PID 4944 wrote to memory of 4884	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	101
PID 4944 wrote to memory of 3200	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	102
PID 4944 wrote to memory of 3200	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	102
PID 4944 wrote to memory of 756	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	103
PID 4944 wrote to memory of 756	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	103
PID 4944 wrote to memory of 516	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	104
PID 4944 wrote to memory of 516	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	104
PID 4944 wrote to memory of 4668	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	105
PID 4944 wrote to memory of 4668	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	105
PID 4944 wrote to memory of 3668	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	106
PID 4944 wrote to memory of 3668	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	106
PID 4944 wrote to memory of 2476	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	107
PID 4944 wrote to memory of 2476	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	107
PID 4944 wrote to memory of 2632	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	108
PID 4944 wrote to memory of 2632	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	108
PID 4944 wrote to memory of 2556	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	120
PID 4944 wrote to memory of 2556	4944	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	120
PID 2556 wrote to memory of 4976	2556	cmd.exe	122
PID 2556 wrote to memory of 4976	2556	cmd.exe	122
PID 2556 wrote to memory of 1068	2556	cmd.exe	126
PID 2556 wrote to memory of 1068	2556	cmd.exe	126
PID 1068 wrote to memory of 4656	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	160
PID 1068 wrote to memory of 4656	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	160
PID 1068 wrote to memory of 3872	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	161
PID 1068 wrote to memory of 3872	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	161
PID 1068 wrote to memory of 4068	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	162
PID 1068 wrote to memory of 4068	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	162
PID 1068 wrote to memory of 1408	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	163
PID 1068 wrote to memory of 1408	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	163
PID 1068 wrote to memory of 2176	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	164
PID 1068 wrote to memory of 2176	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	164
PID 1068 wrote to memory of 3080	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	165
PID 1068 wrote to memory of 3080	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	165
PID 1068 wrote to memory of 1404	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	166
PID 1068 wrote to memory of 1404	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	166
PID 1068 wrote to memory of 1664	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	167
PID 1068 wrote to memory of 1664	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	167
PID 1068 wrote to memory of 4664	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	168
PID 1068 wrote to memory of 4664	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	168
PID 1068 wrote to memory of 1544	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	169
PID 1068 wrote to memory of 1544	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	169
PID 1068 wrote to memory of 4172	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	170
PID 1068 wrote to memory of 4172	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	170
PID 1068 wrote to memory of 4600	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	182
PID 1068 wrote to memory of 4600	1068	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	182
PID 4600 wrote to memory of 4544	4600	cmd.exe	184
PID 4600 wrote to memory of 4544	4600	cmd.exe	184
PID 4600 wrote to memory of 2772	4600	cmd.exe	185
PID 4600 wrote to memory of 2772	4600	cmd.exe	185
PID 2772 wrote to memory of 3560	2772	explorer.exe	186
PID 2772 wrote to memory of 3560	2772	explorer.exe	186
PID 2772 wrote to memory of 4412	2772	explorer.exe	187
PID 2772 wrote to memory of 4412	2772	explorer.exe	187
PID 3560 wrote to memory of 4656	3560	WScript.exe	190
PID 3560 wrote to memory of 4656	3560	WScript.exe	190
PID 4656 wrote to memory of 3608	4656	explorer.exe	191
PID 4656 wrote to memory of 3608	4656	explorer.exe	191

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
"C:\Users\Admin\AppData\Local\Temp\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eWhsSkPG6t.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
    "C:\Users\Admin\AppData\Local\Temp\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xCAXv7Dxyd.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4544
    - - C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5531099-efb2-4e5d-bc00-02b144d3f0a0.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb495b6b-6551-4014-b314-727294d416d2.vbs"
        8⤵
        
        PID:3608
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c5412b6-8f8b-495a-ab54-45a7923d41a2.vbs"
        10⤵
        
        PID:3224
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\856cd982-984e-45c4-b424-70f4bd062b31.vbs"
        12⤵
        
        PID:1872
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\093a85c4-b22f-499f-8824-09070cbf8fef.vbs"
        14⤵
        
        PID:748
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ea41ec3-a4d5-4df1-96f9-ad72956ea436.vbs"
        16⤵
        
        PID:4320
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa5ffaae-7570-479b-afe5-6a8b1d77431b.vbs"
        18⤵
        
        PID:1008
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10c1445e-776e-47d6-a210-8b7fbb798b53.vbs"
        20⤵
        
        PID:836
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\894fae53-05aa-4b86-a33d-9e3c9fcc3faa.vbs"
        22⤵
        
        PID:3232
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feb3ad2b-4ed9-48e2-bef4-d01699d28c88.vbs"
        24⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a25f37bf-e843-41e2-b5e9-79f4f76a88d0.vbs"
        24⤵
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731ec87e-1d28-4b92-88ec-a10eefa2561f.vbs"
        22⤵
        
        PID:3100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d144d6a2-0b03-47d7-8106-e83a161415c0.vbs"
        20⤵
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e6286a-a35c-4020-bcb7-4fa17bcba889.vbs"
        18⤵
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecb6733e-ed25-4f32-a831-f56b264557d7.vbs"
        16⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44562d5f-65b2-464b-9557-a9f8a23c102d.vbs"
        14⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94cb4683-ce75-4c85-9c1f-087621870c5e.vbs"
        12⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3cc8ade-71d8-4534-b60b-5f8d9a078dcc.vbs"
        10⤵
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20ab5068-f842-4bec-b3b0-4a68d2aac843.vbs"
        8⤵
        
        PID:2972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76881f56-af34-47a4-9e3b-f5af98c857bf.vbs"
        6⤵
        
        PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d9" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d9" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ModemLogs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\lsass.exe

Filesize
1.7MB

MD5
adc1863357729224ecbadd3210f6d9e5

SHA1
6bba184b2c53ab59d37e91171b53fb95f07eb0de

SHA256
5b1244f243b1161d5041f5763385b404ac89bb6da8cf52d34b38a2d5846a3df1

SHA512
0514f582ea2866b7ff68f7df29ec07acff897a6576b347bcef101fc7c6c392aa8a7d173d4631c3b7e8b866b746ced0851469e67ef4621a59d4af0991c5ccb4b5

Download Submit
C:\Program Files\Windows Portable Devices\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Filesize
1.7MB

MD5
68a655281c115869e423c1d7f5bea01d

SHA1
8193dcbfd44ca6bad7dd4c5824f9e0d4495220c2

SHA256
95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d

SHA512
c72d216bc5172e259226c624023aaf869cfdbebb29b2aa8421a15363f9c3c29acedb3436dbb829afce50aa13935f06c6baf40b3523c912ded39fb82f9b21c1db

Download Submit
C:\Program Files\dotnet\shared\services.exe

Filesize
1.7MB

MD5
a363addee7dea743cac9f041c9c4a7ca

SHA1
04e3de71e607df02fabf0ea2e8675a6acd45db01

SHA256
0df5f8d0921265ec5c96262a4818dea58a7fdcee3097fe75f11a88a38098816e

SHA512
288ec0e28e4f6dcd2c06a95f90896e9786b26b62788e7ef2ec9948dfe6fdb944dd865d6bc534920ce15a10d3860bab59dd4f31e73819c2bb5a8671227ebeb588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46bf20e17dec660ef09b16e41372a7c3

SHA1
cf8daa89a45784a385b75cf5e90d3f59706ac5d5

SHA256
719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

SHA512
91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e353a3578e26f6852a6d04758c70e377

SHA1
c2fa777e81e31806b6b3d4af58e23e1853a767f2

SHA256
66ef4591b6a55fa8fada2db4d7132731bcf0ad5139ef8858e04e6dba8b7be744

SHA512
fe0c7afbcbf6b8e55830b4c6db156e1449b2ab3284e1ec402cd6e73051b49312de9681e93fa16a583db48e0c53cc3d2e337709c67ddf037b819e8221d30339d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aba273eeba4876ea41ee0e64b4cbb51d

SHA1
bef5f75b81cf27268dc0d0f30f00b022f9288db9

SHA256
67fc3f5c3407858793c6fac6131b0f340667ffc567fa76b43245ecf2621322c9

SHA512
23dc2f0cfc68194dcbf407a6528cf9f9a8aa89f4821be22413bde036ae5ca44144b568aa3160372b9741f3d0f5baa48dff8a8b582bdedc3ad3fb121af340c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\093a85c4-b22f-499f-8824-09070cbf8fef.vbs

Filesize
710B

MD5
7ec11ec0c74c9cf49fb672977a565b81

SHA1
ef4a56bc976254eb3deb480bf9c95b8095196ddd

SHA256
efe41f2364dc31918c40f9a3427bdf14067ca67f0aafd5c01c3baf660001f442

SHA512
405c26489d9b772a6db710a04e69d1f6dcc5bcd440ad06a95393e0ee77da5acc22f58a1ea99fc367c616b9b7c424d1542083d98bab01868472fae5cd046646d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10c1445e-776e-47d6-a210-8b7fbb798b53.vbs

Filesize
710B

MD5
4f9442107e8e342440fd6daeb84376a9

SHA1
94901638418d945b998acb8edb1d5cc86593aa7b

SHA256
0ff515cf578b30c89afbed4c9b4d62fd96aa7453d5b69d00a0df33f7fd6e9192

SHA512
c523e93d09a0f85bdd1e6946a7bf4bfd478941b2a3d621db45f4954e49e3ba3aa0ddbeeb5e1112f538e35dbe6518ac5d97ca460b2fd32c59c2a5cf41348b751f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ea41ec3-a4d5-4df1-96f9-ad72956ea436.vbs

Filesize
710B

MD5
0846189bc521f4f8dabaeb3441229653

SHA1
5e908161d9d768411de6f235a552cc51a9c0c0e4

SHA256
13018442753027b4fcc19c540bc8adf9a71e55228cc4b88f35ef56f836a41716

SHA512
d07f240ee210a4a62bb496df1073cc8b07e551009590a1609897f16cbd85cdcc30ade0b5fe7675180fff755164ca2c7212c7c8cce185b9b06c30b6d4c1761c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c5412b6-8f8b-495a-ab54-45a7923d41a2.vbs

Filesize
710B

MD5
c0abbafc0f83be4174659f6a5c9a0d8a

SHA1
3dd73b4d1bf8f83b4fb9c116a72a320b7302de47

SHA256
4bc59ba27e178b3d465434cf4fe11ca76ee8152560bf16e698e26aec9bc27993

SHA512
07b105b2f818fd9f56dce54e726790f01097e3974852e99d131403b0f2c1aeeff4afa1eae0e05852667198392c39992097fef62d91ec12011a367566ed49a58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76881f56-af34-47a4-9e3b-f5af98c857bf.vbs

Filesize
486B

MD5
420cd591757cd76bd3f830591749c7ee

SHA1
a03b43c1cd6c3f32c808a4138443f64fd944043d

SHA256
d8f29ce640dd3d5ffce7aa4a8b76109b1a10481d242ab11c3218f7ab2941c47c

SHA512
0bd7535668d24512b757b43fdbf16012645e20014e3d4f6dbc6e2c8fdf6e4b861eb7ddbd3b86a44d6845e1a7acd1ecbdf27a7fb17e15da1f5eb43ab51c05b137

Download Submit
C:\Users\Admin\AppData\Local\Temp\856cd982-984e-45c4-b424-70f4bd062b31.vbs

Filesize
710B

MD5
f5835635f69325cd0bd5de43fa39e693

SHA1
2dd77176a771ab457d86bfb69d3d4008ad982e0c

SHA256
66fe8c15a0139ac63f957ced767db1eacf7ecd408bc5f4579bd2e53cd933c7f9

SHA512
ac4f3b4efd4fbe727e8928120483c784d8b03dcb802b8cd88cfdce1f9ff7c8600550cf891194c2066464a21d9255ed06ed4dd8d84b7254b18aa8e57d63c270f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\894fae53-05aa-4b86-a33d-9e3c9fcc3faa.vbs

Filesize
710B

MD5
5816e38ceb03bf3a8fb7c5ab9c1eac65

SHA1
34f8a9a59a2661b7c5fc10f0a14cb6bdfe38b23a

SHA256
4609a41a27421ab161900a17a1f90c1c59b090d9b7662b74a746bda8d75d4e12

SHA512
19003b099e970eb56d1bcaf226aad831e077b1032980d68e0d9b255390c154510694b0445e929235e1b9c12b7f8fc780c902c151af3ef95b703fed4d9f218c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tf14s4xw.rb5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa5ffaae-7570-479b-afe5-6a8b1d77431b.vbs

Filesize
710B

MD5
7e5840dc99c0f17c7259bc4f714f2dba

SHA1
538111e43c8c28cab21e4262a2fe908b3cca3508

SHA256
10def48d6e24b2a0182bd2afbb9f613f8a74dc936047b9b9bcd1b77f022923dd

SHA512
611ccc4100f2246c88c57114d39582cdfbbf042564e8bdd512271cbd6023744d1609e50adf0b1c0ec8bc85b3df3cc90464bdd9af13ffc761632d473d4acbd3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5531099-efb2-4e5d-bc00-02b144d3f0a0.vbs

Filesize
710B

MD5
4435d52baa3c747e722bd405652e2537

SHA1
468ae39491e6e7a9ddd4ef528eb7ce815badacdc

SHA256
22ae265b9e18009eb9fcbf06ba90bad8d6e2d176f6711c330dfac5b4dbd54a08

SHA512
8401e1f28ab41f9276a617055761384b8972353e95ad63c005dba275eda7eb7130a8b6847ea3b9ac4f263edc9c5495d071c2b39a84e3ae0f63155d7a70a75743

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb495b6b-6551-4014-b314-727294d416d2.vbs

Filesize
710B

MD5
64629b71e2da85a7bfd2add8ce0f96dd

SHA1
e83e2ec51c756b8ac536486d996a5ba69b2e6e0d

SHA256
1fa66af287a2fde0dd468b98939202910075d643b015555f2b6096f2c5f3c655

SHA512
9d8f1a612637d27ec840d1fcbb79c6db83a0d8fc0ca3865fa52d451cc0134a0e7fe72925a5fc4c2dd59e2eb350383f125ab83efc3e3be6155fba64742237145d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWhsSkPG6t.bat

Filesize
267B

MD5
a0c8f97f9d28ecb0408460084ca796b6

SHA1
3b4a2bde9be6505bb330ba054c1bb04573f96702

SHA256
1e8206f4ece7f3efde92e822e0f4534118bf729451a851d60d45078cfc075279

SHA512
1102b36c9a9fa199acea0c66b3945b535098e38b17e5356ecdcb01e65c0f26c9c331e25ceb661b2578d60c3df21f434d599c5873d38103ecafe32781fedbfa7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCAXv7Dxyd.bat

Filesize
199B

MD5
9fb83deb22fbd6d8395cb0b36b876655

SHA1
b7a31b94dec2d7c8921697b510a8fe09096fb2b3

SHA256
1bd46ba6b57c913bd34e9cd3687d7be1e27322c49286bf7d4045fb7fc7e1d140

SHA512
682eb5bad1c95713a32d99e679dca77c0577427e4e62850b7b2b3b96ae6910fda3671074a1a8ef46fd9c1e1b1d9c5a5990df9301827af0cbc607445c76f45d1f

Download Submit
memory/1068-228-0x000000001B2E0000-0x000000001B2F2000-memory.dmp

Filesize
72KB

Download
memory/2192-105-0x0000028D50DE0000-0x0000028D50E02000-memory.dmp

Filesize
136KB

Download
memory/2932-465-0x00000000030E0000-0x00000000030F2000-memory.dmp

Filesize
72KB

Download
memory/4944-0-0x00007FFDBF313000-0x00007FFDBF315000-memory.dmp

Filesize
8KB

Download
memory/4944-10-0x000000001B7D0000-0x000000001B7D8000-memory.dmp

Filesize
32KB

Download
memory/4944-7-0x000000001B7B0000-0x000000001B7C6000-memory.dmp

Filesize
88KB

Download
memory/4944-4-0x000000001B800000-0x000000001B850000-memory.dmp

Filesize
320KB

Download
memory/4944-5-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

Filesize
32KB

Download
memory/4944-6-0x0000000002D00000-0x0000000002D10000-memory.dmp

Filesize
64KB

Download
memory/4944-3-0x0000000002CC0000-0x0000000002CDC000-memory.dmp

Filesize
112KB

Download
memory/4944-2-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-14-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

Filesize
48KB

Download
memory/4944-9-0x0000000002DC0000-0x0000000002DCC000-memory.dmp

Filesize
48KB

Download
memory/4944-15-0x000000001B870000-0x000000001B87A000-memory.dmp

Filesize
40KB

Download
memory/4944-8-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/4944-1-0x0000000000AA0000-0x0000000000C60000-memory.dmp

Filesize
1.8MB

Download
memory/4944-12-0x000000001B7E0000-0x000000001B7F2000-memory.dmp

Filesize
72KB

Download
memory/4944-101-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-18-0x000000001C1B0000-0x000000001C1BC000-memory.dmp

Filesize
48KB

Download
memory/4944-17-0x000000001C1A0000-0x000000001C1A8000-memory.dmp

Filesize
32KB

Download
memory/4944-16-0x000000001C190000-0x000000001C19E000-memory.dmp

Filesize
56KB

Download
memory/4944-13-0x000000001C4C0000-0x000000001C9E8000-memory.dmp

Filesize
5.2MB

Download
memory/4944-23-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-22-0x00007FFDBF310000-0x00007FFDBFDD1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-19-0x000000001C1C0000-0x000000001C1CC000-memory.dmp

Filesize
48KB

Download